A Design and Strategy Blog

Is your cookie compliance half-baked?

You’ve probably seen those banners on some websites notifying you that they use cookies and asking you to click OK to make the banner go away. Or you could just click a little x to dismiss the banner without agreeing and continue to browse the website anyway.

Other websites have some tiny text in the footer saying something along the lines of “By using this website, you accept cookies”. This won’t fly under the new General Data Protection Regulation (GDPR) for your EU visitors.

What are cookies again?

We’re talking about small bits of data that websites place in your browser. Cookies are used for many things, like remembering whether you’re logged in, what’s in your shopping cart and your browsing history, as well as storing your preferences.

Cookies can also be used by services like Google Analytics to track what pages you look at, for how long, and what search terms you used to land on a page. Advertisers will also track what you’ve looked at and which ads of theirs you clicked on.

The GDPR is really big on privacy, and we wrote more about it recently here. Depending on how some cookies are set up, even ones that don’t specifically identify you could still be used to single you out based on your device, location and other criteria. So cookies will still be a big part of this game of compliance.

Who wants a cookie?

Gone are the days of pre-checking a checkbox to throw someone on your email list, or soliciting them for other unrelated crap they didn’t ask for, at least for our EU friends. You need to let people know if and when you’re capturing their information and what you intend to use it for, and ask if that’s OK first. This includes cookies.

According to the ICO in the UK from their Privacy and Electronic Communications Regulations (PECR), the three basic things you need to do to comply are:

Tell visitors there are cookies on your website

Describe what the cookies are for and why

Get the visitor’s consent to store cookie(s) on their device.

Ideally, you should give visitors an option to opt out of any or all of the cookies that your site serves up while still allowing them to use your website in some capacity after selecting cookies they don’t want.

“Even if the user refuses the user cookie, the cookie is already dropped and the cookie is already tracked,” Guillaume Marcerou, Criteo.

So you need to be able to ask visitors their cookie preference when they first land on your website, before you drop any cookies. Only after they’ve opted in should you start setting cookies.

Cookie cutter

Making your website cookie compliant for the newer regulations doesn’t have to cost a lot of dough. There are services and add-ons you can use, but check with your developer first.

One we’ve found that we like is Insites’ free and open source Cookie Consent. It has three types of compliance you can configure:

Just tell visitors your site uses cookies

Let visitors opt out of cookies

Ask visitors to opt into cookies

For additional granularity, you may want to explore Civic’s Cookie Control, which gives visitors the option to opt out of cookie categories like analytics, marketing and preferences, and also supports third-party opt-outs.

Don't get burned

Even after you’ve done your due diligence and documented all the cookies on your website and what they do, new ones can pop up under your radar.

“In general, a website owner can be held liable for GDPR violations by a third party that is collecting EU personal data by dropping pixels.” Doug McPherson, OpenX

Common third-party components like Optimizely, Google and others may insert many new cookies without notice. This can happen when a third-party vendor changes what its tag does, or simply when a JavaScript library is updated.

If you’re not already monitoring, there are services like Fluxguard to help you keep track of third-party code or cookie changes.
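The two points above, only loading cookie-setting scripts after the visitor opts in and watching for cookies that aren’t in your documented inventory, as a small added example (not code from the original post or from any of the services mentioned). The category names, the script list, the documented cookie inventory and the `cookie_consent` storage key are all assumptions.

```javascript
// Added example (not from the original post): a consent gate plus a cookie audit.
// Third-party scripts that set cookies, tagged with the category that must be opted into.
const SCRIPT_REGISTRY = [
  { src: "https://www.google-analytics.com/analytics.js", category: "analytics" },
  { src: "https://cdn.example-vendor.test/tag.js", category: "marketing" }, // placeholder
];
// Cookies the site has documented, by category; "necessary" never needs consent.
const DECLARED_COOKIES = {
  necessary: ["session_id", "cookie_consent"],
  analytics: ["_ga", "_gid"],
  marketing: ["vendor_uid"], // placeholder name
};
// consent is what the visitor chose, e.g. { analytics: true, marketing: false };
// an empty object (no choice made yet) allows only necessary cookies.
function allowedCategories(consent) {
  return ["necessary", ...Object.keys(consent).filter((c) => consent[c] === true)];
}
// Only scripts in an opted-in category may be injected into the page.
function scriptsToLoad(consent, registry = SCRIPT_REGISTRY) {
  const allowed = new Set(allowedCategories(consent));
  return registry.filter((s) => allowed.has(s.category)).map((s) => s.src);
}
// Parse the document.cookie format "a=1; b=2" into a list of cookie names.
function cookieNames(cookieString) {
  return cookieString.split(";").map((c) => c.trim().split("=")[0]).filter(Boolean);
}
// Report cookies present in the browser that are not documented at all,
// or that belong to a category the visitor did not opt into.
function auditCookies(cookieString, consent, declared = DECLARED_COOKIES) {
  const allowed = new Set(allowedCategories(consent));
  const categoryOf = {};
  for (const [cat, names] of Object.entries(declared)) names.forEach((n) => (categoryOf[n] = cat));
  const undeclared = [], unconsented = [];
  for (const name of cookieNames(cookieString)) {
    if (!(name in categoryOf)) undeclared.push(name);
    else if (!allowed.has(categoryOf[name])) unconsented.push(name);
  }
  return { undeclared, unconsented };
}
// Browser bootstrap: runs only inside a page, so the functions above stay testable in Node.
if (typeof document !== "undefined") {
  const consent = JSON.parse(localStorage.getItem("cookie_consent") || "{}");
  for (const src of scriptsToLoad(consent)) {
    const el = document.createElement("script"); el.src = src; el.async = true;
    document.head.appendChild(el);
  }
  console.warn("cookie audit:", auditCookies(document.cookie, consent));
}
```

Run the audit again after each deploy or vendor update; anything in `undeclared` is a cookie your documentation and banner don’t cover yet.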